Vulnerability Details: CVE-2015-5723
Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
Products affected by CVE-2015-5723
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-cache:*:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-cache:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-cache:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zend-cache:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:zend:zf-apigility-doctrine:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:mongodb-odm:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:annotations:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:common:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:common:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:common:2.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:object_relational_mapper:2.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:doctrinemongodbbundle:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:cache:*:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:cache:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:doctrine-project:cache:1.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5723
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-5723
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2015-5723
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5723
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IUUC7HPN4XE5NNTG4MR76OC662XRZUO/
  [SECURITY] Fedora 24 Update: php-doctrine-common-2.5.3-1.fc24 - package-announce - Fedora Mailing-Lists
- http://www.debian.org/security/2015/dsa-3369
  Debian -- Security Information -- DSA-3369-1 zendframework
- http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
  Security Misconfiguration Vulnerability in various Doctrine projects - Doctrine: PHP Open Source Project (Vendor Advisory)
- http://framework.zend.com/security/advisory/ZF2015-07
  Security Advisory - Security - Zend Framework
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPS7A54FQ2CR6PH4NDR6UIYJIRNFXW67/
  [SECURITY] Fedora 23 Update: php-doctrine-common-2.5.3-1.fc23 - package-announce - Fedora Mailing-Lists